December 13, 2001
Audit Report No. 01-025

Audit of the Least Cost Test Model

Federal Deposit Insurance Corporation
Washington, D.C. 20434
Office of Inspector General
Office of Audits

DATE: December 13, 2001

TO: Mitchell L. Glassman, Director
    Division of Resolutions and Receiverships

    Carol M. Heindel, Acting Director
    Division of Information Resources Management and
    Acting Chief Information Officer

FROM: Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
      Assistant Inspector General for Audits

SUBJECT: Report Entitled Audit of the Least Cost Test Model (Audit Report Number 01-025)

The Office of Inspector General (OIG) completed an audit of the information systems application used by the Division of Resolutions and Receiverships (DRR) to comply with the least cost provisions[1] of the FDIC Improvement Act of 1991 (FDICIA). This application includes the Least Cost Test; the optimization software package, What's Best!; and the Insurance Determination Cost Calculation model. Collectively, these systems will be described as the Least Cost Test model (LCT model). The objectives of the audit were to determine whether the LCT model (1) operated as designed and (2) contained adequate controls to ensure complete and accurate results.
Additional details on the audit scope and methodology are included in Appendix I.

[1] These provisions require the FDIC to resolve failing institutions in a manner that is the least costly to the deposit insurance funds of all possible resolution methods.

BACKGROUND

DRR's mission is to plan for and resolve failing FDIC-insured institutions promptly, efficiently, and responsively in order to maintain public confidence in the national financial system. Within DRR, the Franchise and Asset Marketing Branch is responsible for resolving troubled financial institutions and selling assets at the least cost and highest recovery to the Corporation's insurance funds. The FDIC has various means to resolve a failing financial institution. Under FDICIA, the FDIC may exercise specified resolution authorities only where the chosen method is the least costly to the deposit insurance funds of all possible methods for meeting the Corporation's obligations. In addition, the FDIC has a strategic goal to ensure that institutions are resolved in the least costly manner in accordance with law. Therefore, the branch continues to develop, refine, and implement resolution policies, procedures, and strategies that minimize losses to the insurance funds.

In order to comply with the least cost provisions of FDICIA, DRR developed the LCT model, which tracks the FDIC's costs of liquidation and then compares these costs to other resolution options. Since 1991, the FDIC has been required to select the least costly resolution option and has refined its process over time. As currently structured, the LCT model contains three parts: the Least Cost Test, What's Best!, and the Insurance Determination Cost Calculation.
The Least Cost Test is a series of Microsoft®[2] Excel-based spreadsheets that accumulates information on the failing institution, compares the costs of various resolution options, and documents the rationale for choosing one option as the least cost resolution.

[2] Microsoft is a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries.

The three parts of the model interface like this (the original figure, "LEAST COST TEST MODEL", is rendered here as text):

• DRR Dallas prepares value estimates of assets and liabilities, which feed the Least Cost Test.
• Least Cost Test: accumulates, compares, and documents information on the resolution decision; receives asset information and bid analysis.
• Insurance Determination Cost Calculation: calculates additional costs associated with each type of transaction and feeds them to the Least Cost Test.
• Bids for whole banks are entered directly into the Least Cost Test for bid analysis.
• Bids for asset pools and bids for deposits go to What's Best!
Analysis, which determines the best bid combination from the bids received (bids for asset pools and bids for deposits) and passes the result to the Least Cost Test.

What's Best! is a commercial, off-the-shelf software program that evaluates multiple solutions and selects the optimal solution within the parameters established by the user. DRR began using the What's Best! optimization software in 1998 to evaluate the bids received for failing institutions. Previously, program staff manually reviewed and evaluated bids on failing institutions. Among the parameters established in What's Best! for evaluating the bids received for a failing institution are the prices established by DRR through the Asset Valuation Review (AVR). The AVR is prepared by the Franchise and Asset Marketing Branch of DRR in Dallas. The primary purpose of an AVR is to establish an estimate of the value of the institution's assets to the FDIC as receiver of the failing institution. The estimated value of a pool of loans offered for sale is used as the minimum price the FDIC is willing to accept from potential purchasers of failing institutions. What's Best!, as customized by DRR, selects from among the multiple bid combinations submitted for a failing institution's deposits and asset pools. Information on the winning bid combinations is transferred to the LCT model for comparison with the FDIC's cost of liquidating the institution. Information on a bid for a whole bank transaction is entered directly into the Least Cost Test.

The Insurance Determination Cost Calculation is a DRR-developed spreadsheet that estimates the additional costs of resolving the failing institution's liabilities in three basic resolution types.
Such additional costs include travel costs for staff assigned to the closing, as well as overhead expenses associated with the resolution process. These costs are added to the FDIC's estimated loss under each resolution scenario for final selection of the least costly transaction. The Insurance Determination Cost Calculation was added to the LCT model in 1999.

The Least Cost Test templates, the What's Best! templates, and the Insurance Determination Cost Calculation template are all stored on DRR's shared drive for resolutions in a Least Cost Test template folder. At the beginning of the resolution process, copies of each template are made from this folder and then stored in a new folder specific to the failing institution on DRR's shared drive. When our audit fieldwork began, DRR had five Washington staff who entered information into the LCT model; however, reorganization during the audit doubled the size of the Washington staff who enter information into the LCT model.

Office of Management and Budget (OMB) Circular No. A-130, Management of Federal Information Resources, Appendix III,[3] defines an application as the use of information resources (information and information technology) to satisfy a specific set of user requirements. It further defines adequate security as security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or

[3] On October 22, 2001, the FDIC Legal Division issued an opinion that stated that OMB Circular A-130, Appendix III, partly applied to the FDIC. Among the parts of Appendix III that applied to the FDIC was the requirement that the FDIC implement and maintain a program to assure adequate security for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications.
The FDIC Legal Division further opined that such programs are to be consistent with government-wide policies, standards, and procedures issued by the Office of Management and Budget, the Department of Commerce, the General Services Administration, and the Office of Personnel Management.

modification of information. This includes assuring that systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls.

RESULTS OF AUDIT

The LCT model correctly determined the lowest cost resolution in both cases we reviewed. Therefore, we concluded the model is generally operating as intended. However, security controls for the LCT model needed improvement. Specifically, controls over access, software development, and changes were weak. For example:

• Access privileges were not always appropriately limited, including authority to modify the LCT model. Therefore, system changes could be executed without proper testing and approval.

• Software testing to demonstrate functionality was not documented. Therefore, the extent of testing and correction of test deficiencies was uncertain.

• Complete system software documentation has not been maintained. Therefore, software maintenance, modification, and recovery are impaired and may not be fully effective.

The FDIC has not designated the LCT model as a major application, nor is it subject to the more rigorous security requirements associated with that designation, despite the critical role the model plays in the DRR resolution process.
The model ensures that DRR complies with the statutory least cost provisions, processes highly sensitive information such as bids for the assets of failed institutions, and provides the basis for key FDIC decisions on resolving failed institutions. The Division of Information Resources Management (DIRM) has developed a new process for evaluating the sensitivity of FDIC systems that should be applied to the LCT model to determine if an upgrade in status is warranted.

LEAST COST TEST MODEL OPERATED AS DESIGNED

We judgmentally selected two resolution cases and reviewed the application of the LCT model in each case. We determined that in both cases the LCT model operated as designed. In each case, DRR selected the resolution option that was least costly to the insurance fund. In one case, only one bid was received, so the provisions of the What's Best! module did not apply. However, in the other case, the What's Best! module selected the best bid submitted. We noted discrepancies in both the Least Cost Test reports and the Insurance Determination Cost Calculation, but they did not affect the Least Cost Test decision.

Peoples National Bank of Commerce

The first resolution case we reviewed was Peoples National Bank of Commerce (Peoples), Miami, Florida, which was closed on September 10, 1999. The Franchise and Asset Marketing Branch generated balance sheet data for the AVR as of June 17, 1999. Information from the AVR was transferred correctly into the Least Cost Test. Because only one bid was received, there was no need to implement the What's Best! module of the LCT model. DRR simply compared the bid to the cost of liquidation to determine which would be the least costly transaction.
The OIG reviewed this comparison and determined that, by accepting the bid, DRR selected the least costly transaction.

Finally, the OIG reviewed the Insurance Determination Cost Calculation. DRR did not have any documented policies and procedures for the Insurance Determination Cost Calculation. We determined that outdated information on travel costs and benefits was used in the calculation. However, because the information was used consistently throughout the calculation, there was no effect on the results of the LCT model. Although current information would have decreased the estimated total loss to the FDIC, the single bid received was still less costly than the FDIC's cost of liquidation.

First Alliance Bank and Trust Company

The second resolution case we reviewed was First Alliance Bank and Trust Company (First Alliance), Manchester, New Hampshire, which was closed on February 2, 2001. The Franchise and Asset Marketing Branch generated balance sheet data for the AVR as of October 31, 2000. Information from the AVR was transferred correctly into the Least Cost Test. DRR received 21 bids from 5 different bidders for First Alliance. The OIG reviewed the What's Best! analysis and determined that DRR selected the least costly transaction. We noted user input errors and omissions in the LCT model documents, including the Insurance Determination Cost Calculation, but these did not affect the Least Cost Test decision process. DRR procedures required that the resolution case documents be reviewed by a Qualified Reviewer, a DRR employee designated to ensure that information is accurate and complete. Neither the preparer nor the Qualified Reviewer noted these errors during the resolution process.

In both the Peoples and First Alliance resolution cases, the errors noted on the LCT model documents did not invalidate the decision made by DRR as to which was the least costly resolution.
However, these errors did point out the necessity to strengthen the review process. After we brought this weakness to the attention of branch management, they immediately developed a draft checklist to be used by the Qualified Reviewers to focus and document their reviews of the resolution cases. DRR also developed a user checklist as an added control to strengthen the review process and to assist the new members of the staff with completing the LCT model documents.

Recommendations

We recommend that the Assistant Director, Franchise and Asset Marketing, DRR:

(1) Formalize and implement the use of the Qualified Reviewer's checklist as planned and establish other controls to ensure that the documents generated by the LCT model to support the resolution decision are accurate and complete.
(2) Establish a process for periodically updating the underlying estimates in the Insurance Determination Cost Calculation to ensure decisions are based on the most current information available.

LCT MODEL CONTROLS NEED IMPROVEMENT

We reviewed both access controls and application software development and change controls[4] for the LCT model to determine whether adequate controls were in place. We determined that access to the model is not limited to those with a business need and that some personnel with access to the model had access beyond that needed to perform their jobs. Although their duties could be accomplished with read-only access to the LCT model, some DRR personnel had read, write, and change access to the LCT model. We noted several problems with the application software development and change controls. Specifically, DRR did not involve DIRM in the purchasing decision for What's Best! and, consequently, the software was not tested for compatibility with the FDIC's operating environment.
There is also no record that the software was tested to ensure that it would operate effectively in complex resolution transactions. Additionally, there is little documentation of the development of the LCT model templates to use as a starting point when making future modifications. DRR also has not developed a system for requesting, making, testing, and approving changes to the LCT model templates. Finally, there is little security over the macros and formulas[5] included in the spreadsheets to prevent accidental or intentional changes. Users can change the macros and formulas included in the LCT model spreadsheets by directly overwriting the ones not protected. The system also allows users to make changes to the protected macros and formulas included in the LCT model spreadsheets by first removing the protection function and then editing those macros and formulas as desired. As a result, adequate security[6] is not necessarily achieved for the LCT model.

[4] Access controls limit or detect access to computer resources, thereby protecting these resources against unauthorized modification, loss, and disclosure. Application software development and change controls prevent unauthorized programs or unauthorized modifications to existing programs from being implemented.
[5] A macro is a set of commands and keystroke instructions combined by a user to perform a specific task. This differs from a formula, which performs a specific mathematical function.
[6] According to OMB Circular A-130, Appendix III, "adequate security means security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information.
This includes assuring that systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls."

Access Controls

We obtained a list of employees with access to the LCT model. We reviewed their job responsibilities to determine whether access to the LCT model templates on DRR's shared drive was limited to appropriate personnel. Both the National Institute of Standards and Technology (NIST) standards and DIRM guidance recommended that access to systems be limited to those with a business need, to protect the systems from unauthorized modification or misuse. The applicable sections of the NIST standards and DIRM guidance are included in Appendix II. Eighteen DRR employees have read, write, and change (RWX) access to the shared drive Least Cost Test template folder. Ten of these are DRR employees directly responsible for Least Cost Test activities, while the other eight are DRR employees who have access to the LCT model but no direct responsibility for Least Cost Test activities. In addition, a DRR contractor has access to the Least Cost Test template folder but not the entire shared drive. Our analysis of access to the LCT model templates is as follows:

• All eight users who are responsible for input into the LCT model have appropriate access.
• One of the four DRR managers with RWX access to the LCT model should have read-only access, commensurate with his responsibilities for analysis.
• Three Qualified Reviewers have RWX access to the LCT model templates.
Only one of the Qualified Reviewers needs this level of access; the other two should have read-only access to the failing institution folder.
• Two support staff employees have RWX access to the LCT model, but their duties require only read-only access to information specific to the failing institution and no access to the LCT model templates.
• The one field office employee who assists with modification to the Least Cost Test templates has an appropriate level of access on the shared drive.

We discussed our access concerns with the Assistant Director, Franchise and Asset Marketing, DRR, and he agreed with our conclusions. Additionally, he has since taken action to limit the level of access as discussed above. DRR provided us with documentation from DIRM that the access changes had been made.

Application Software Development and Change Controls

As noted previously, application software development and change controls prevent unauthorized programs or unauthorized modifications to existing programs from being implemented. These types of controls are normally included in a security plan. The LCT model is not a major application of the FDIC and is not required to have a security plan, although OMB Circular A-130, Appendix III, still requires the agency to ensure that security commensurate with risk is in place. During our review of documents and interviews with responsible program officials, we noted several types of problems in this area. They are as follows:

• When DRR purchased the What's Best! software in 1998, it did not involve DIRM in the process. Therefore, DIRM did not have the opportunity to test the software for compatibility with the FDIC's operating environment.
There was also no documentation that DRR had stress tested the program to determine if it would continue to operate effectively in complex resolution situations. Without knowledge of the purchase or access to the software, DIRM was unable to test the software's compatibility with the Corporation's operating environment until November 2000, when it found compatibility problems that required DIRM to rescript the software. However, the rescripted program did not perform as DRR needed, which led to ongoing discussions between DIRM and DRR to resolve these rescripting problems. In the meantime, DRR decided to plan for an upgrade of its version of What's Best!, because the current version is not compatible with the FDIC's planned upgrade of its computing operating environment. To complete the upgrade, DRR would purchase the upgraded version of What's Best! and develop new spreadsheets to use with the upgraded version. DRR has already purchased an upgraded copy of the What's Best! software and submitted it to DIRM for testing. This testing and implementation of the new version of What's Best! has to be completed before the FDIC rolls out its upgrade of the computing operating environment, which is planned to be completed by the end of the first quarter of 2002.

• During the implementation of the original What's Best! software, Division of Research and Statistics (DRS) employees, with assistance from DRR program officials, developed spreadsheet templates used to document the What's Best! analysis. As part of the design process to facilitate a user-friendly system, DRS color-coded the cells to indicate into which cells bid information is entered, which cells are program-related, and which cells are used to evaluate data.
The FDIC no longer employs the DRS employees responsible for designing the spreadsheet, and no one has documentation on how the spreadsheet was created in case modifications are needed during the upgrade of the What's Best! software.

• Neither the DRR employees nor the DRR contractor primarily responsible for the Least Cost Test templates retains documentation of changes made to the Least Cost Test templates. There is no system for documenting the reason for the changes or the testing and approval of the changes. One DRR employee and the contractor know the password protecting the Least Cost Test template on DRR's shared drive, and the contractor changes the template at the direction of the DRR employee. Instructions are normally given by e-mail, but once the changes are made, neither the contractor nor the DRR employee retains any documentation about the changes made or the testing and approval of the changes.

• Using a copy of What's Best! provided to the OIG by DRR, we were able to edit the macros developed for transferring data between the Least Cost Test spreadsheets and the What's Best! spreadsheets even when the spreadsheets themselves were protected as part of the formatting. For example, we edited the macro transferring information about the asset pools offered for sale so that the wrong asset pool information was transferred to the What's Best! spreadsheets. Since What's Best! decides which is the best bid combination by comparing the bid price on a pool to the FDIC's AVR reserve price, transferring incorrect information on the asset pool would directly affect the What's Best! decision process.
The macros tested within the LCT model appeared to be operating as intended, although the controls over the macros could be strengthened. DRR management indicated that the contractor has already added password protection to the macros. Password protection on the macros guards against casual or accidental editing; because such spreadsheet protection can be removed by anyone who obtains the password, it should complement, rather than replace, read-only storage of the templates and the change control procedures recommended below.

• When testing the Insurance Determination Cost Calculation, we discovered that some of the formulas within the template had been overwritten during a resolution in June 2000. These formulas automatically calculated staffing needs based on deposit base estimates developed during the Y2K process. Normally, users are directed to enter only institution identification and deposit account information; therefore, users in subsequent cases might not realize that the underlying formulas had been changed and would then be relying on results based on faulty assumptions. DRR acted promptly when the OIG brought this matter to its attention. The Insurance Determination Cost Calculation is being revised and will be added to the shared drive as a read-only file.

Recommendations

We recommend that the Assistant Director, Franchise and Asset Marketing, DRR:

(3) Periodically review access to the shared drive and the LCT model templates to ensure that employees have appropriate levels of access to the files.
(4) Develop and retain documentation to support the testing performed on the upgraded What's Best! software for compatibility with the FDIC's operating environment and performance in complex resolution transactions.
(5) Fully document the preparation of new spreadsheets or the modification of existing spreadsheets used in the operation of the upgraded What's Best!
program.
(6) Establish procedures for requesting, making, tracking, testing, and approving changes to the LCT model.
(7) Ensure that the protection added to the LCT model macros is operating correctly.
(8) Incorporate steps in the resolution case review process to ensure that formulas are operating as intended and have not been overwritten.

DRR AND DIRM SHOULD REEVALUATE THE SENSITIVITY OF THE LCT MODEL

The LCT model was not designated as a major application within the FDIC and therefore was not afforded the increased security that such systems receive. According to OMB Circular A-130, Appendix III, a major application is "an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application." Appendix III of this report outlines the security requirements related to major applications. Although the LCT model was considered a mission critical system for Y2K, it was not designated a major application as part of the February 1999 Corporate Security Controls Program. The information analyzed and generated by the system provides the basis for the Corporation to meet its strategic goal to ensure that institutions are resolved in the least costly manner. Further, the Corporation is required by law to select the least costly resolution option, and the LCT model has been established to provide a consistent methodology to support that requirement. Therefore, DRR and DIRM should reevaluate the LCT model for possible reclassification as a major application within the FDIC.

In February 1999, DIRM, using a Sensitivity Assessment Questionnaire (SAQ), evaluated the LCT model as part of the Corporate Security Controls Program.
The SAQ was used in identifying major applications subject to enhanced security controls. At that time, based on information provided by DRR and the methodology used by DIRM to identify major applications, DIRM did not identify the LCT model as a major application of the FDIC. The rating scale used with the 1999 SAQ evaluated the areas of system confidentiality, data integrity, and application availability only as a whole. However, in June 2001, DIRM published a draft version of a revised SAQ that allows program users to evaluate the individual elements of each area. In addition, in response to OIG recommendations in another audit, the new SAQ provides more comprehensive information on how applications are classified under the guidelines and provides expanded criteria against which applications can be measured.

As noted previously, DRR is not currently required to have a security plan for the LCT model, because it is not designated as a major application. OMB Circular A-130, Appendix III, requires federal agencies to implement policies, standards, and procedures which are consistent with government-wide policies, standards, and procedures issued by OMB, the Department of Commerce, the General Services Administration, and the Office of Personnel Management. In 1996, NIST, part of the Department of Commerce, published a compilation of generally accepted principles and practices for securing information technology systems. This guidance recognized that planning at the system level would ensure appropriate and cost-effective security for each system. One area to be considered in the planning was a system-specific security plan.
According to the NIST standards, the security plan should document the rules for development and operation of the system. According to NIST, a fully documented security plan addresses access controls and application software development and change controls to ensure that appropriate security controls are specified, designed into, tested, and accepted in the application.

Recommendations

We recommend that the Assistant Director, Franchise and Asset Marketing, DRR, and the Assistant Director, Information Security Staff, DIRM:

(9) Apply DIRM's revised SAQ procedures to the LCT model and determine if a reclassification of the LCT model is warranted. The results should be forwarded immediately to the Office of Inspector General and the Office of Internal Control Management for follow-up.

(10) Develop a security plan for the LCT model as described in OMB Circular A-130, Appendix III, and the guidance developed by NIST for generally accepted principles and practices for securing information technology systems.

CORPORATION COMMENTS AND OIG EVALUATION

On October 23, 2001, the Director of DRR and the Acting Director of DIRM provided a written response to the draft report. The response is presented in Appendix IV to this report.

The Corporation generally concurred with recommendations 1 through 8. These recommendations will remain undispositioned and open for reporting purposes.
With respect to recommendations 9 and 10, which are also undispositioned and open, we have requested that the Corporation notify us of the results of its application of the revised Sensitivity Assessment Questionnaire and any subsequent changes to the security plan for the LCT model.

While the responses generally agreed with the OIG’s recommendations, both DRR and DIRM noted that the LCT model is not currently a major application of the FDIC and therefore is not subject to the security plan provisions of OMB Circular A-130, Appendix III. The final report was modified to address their wording concerns with the draft report and to clarify the OIG’s intent to recommend that security controls commensurate with the risks associated with the LCT model be implemented.

APPENDIX I

SCOPE AND METHODOLOGY

We selected two resolution cases for our review of the LCT model and the work performed by the DRR Washington staff. Each of the cases we reviewed represented the most current version of the LCT model at the time of the failure. We did not review the AVR process conducted by the DRR Dallas staff because a separate audit is in process.

We reviewed the resolution case files associated with the failures of Peoples National Bank of Commerce (Peoples), Miami, Florida, and First Alliance Bank and Trust Company (First Alliance), Manchester, New Hampshire. We judgmentally selected these institutions from the universe of 20 failures since 1997. As mentioned in the Background section of this report, DRR refined the resolution process over time by adding What’s Best! and the Insurance Determination Cost Calculation and revising the spreadsheets included in the LCT model.
We selected Peoples because this was the first resolution case that incorporated the Insurance Determination Cost Calculation component into the LCT model.

We selected First Alliance because it was the most recent resolution case completed during our review. By reviewing this most recent resolution case, we ensured that our review included DRR’s most current LCT model and resolution process. Additionally, because DRR offered a variety of resolution options for First Alliance, the variety of bids received encompassed most types of resolutions available for offer by DRR.

In order to determine if the LCT model operated as designed, we

• obtained and reviewed DRR’s draft Least Cost Test manual and draft Resolutions Policy manual as well as the Least Cost Test instruction sheets for established procedures and guidance,
• compared the information in the AVR report to the data manually entered into the balance sheet of the Least Cost Test and verified the accuracy of the data,
• compared the information from the original bid documents to the data manually entered into the What’s Best! spreadsheets and verified the accuracy of the data,
• compared the information on the best bid combinations selected by the What’s Best! analysis to the data electronically transferred to the Least Cost Test and verified the accuracy of the data,
• compared the information on the original bid to the data manually entered into the Least Cost Test and verified the accuracy of the data if no What’s Best! bid analysis was performed during the resolution process,
• recalculated the Least Cost Test comparison sheets to verify the mathematical accuracy of the worksheets, and
• confirmed that the least costly resolution was selected by DRR.

In addition, to ensure that the What’s Best! component operated as designed, we

• reviewed the sample case used by DRR in its training process,
• manually combined the bids received in the insured-only deposits case and the all-deposits case [7] and priced out each bid, and
• verified that What’s Best! had selected the best bid combination for both the insured-only deposits case and the all-deposits case.

For the Insurance Determination Cost Calculation, we

• determined whether the electronic transfer of information on staffing estimates was completed correctly,
• verified the average costs used in the calculation, and
• recalculated the cost of each type of insurance determination and verified the accuracy of the information used during the specific resolution process.

In order to evaluate the controls established by DRR for the LCT model, we

• reviewed the system application controls [8] associated with the LCT model;
• obtained and reviewed Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources;
• obtained and reviewed National Institute of Standards and Technology (NIST) Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems;
• obtained and reviewed Division of Information Resources Management (DIRM) directives, policies, and guidance regarding development, access, and security of FDIC systems for applicability to our audit;
• obtained, reviewed, and applied DIRM’s draft guidance for SAQs to the LCT model to determine whether the LCT model could be designated a major application under the draft guidance;
• obtained a list of FDIC employees with access to the LCT model and reviewed it for appropriateness to job responsibilities; and
• tested the macros and formulas incorporated into the LCT model for security and edit controls.

Also, we interviewed personnel from DRR Dallas, DRR headquarters, DIRM, and DRS. We performed our work at the FDIC’s offices in Washington, D.C. We conducted the audit from September 2000 through June 2001 in accordance with generally accepted government auditing standards.

[7] DRR may give potential bidders the option to acquire all deposit liabilities of a failing institution or just the insured deposit liabilities.
[8] Application controls are incorporated directly into individual applications and are intended to ensure completeness, accuracy, authorization, and validity of all transactions during application processing.

APPENDIX II

THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) STANDARDS AND THE DIVISION OF INFORMATION RESOURCES MANAGEMENT (DIRM) GUIDANCE

Section 3.5.1 of Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, issued by NIST states:

    Least privilege refers to the security objective of granting users only those accesses they need to perform their official duties.

DIRM guidance is contained in two FDIC Circulars, 1360.1 and 1360.15. Section 6.c of FDIC Circular 1360.1 states:

    Access to sensitive information and information systems will be based on business needs.

Section 4.b of FDIC Circular 1360.15 states:

    Sensitive AISs [Automated Information Systems] and data shall be protected from unauthorized access, disclosure, and use. Access to sensitive systems shall be permitted only for business purposes, as approved by a supervisor and program manager, or their designee(s). Such access shall be terminated when it is no longer required or when access privileges have not been used for a predetermined period of time.

APPENDIX III

OMB CIRCULAR A-130, APPENDIX III, SECURITY REQUIREMENTS FOR A MAJOR SYSTEM APPLICATION

1) Assign Responsibility for Security
Assign responsibility for security of each major application to a management official knowledgeable in the nature of the information and process supported by the application and in the management, personnel, operational, and technical controls used to protect it. This official shall assure that effective security products and techniques are appropriately used in the application and shall be contacted when a security incident occurs concerning the application.

2) Application Security Plan
Plan for the adequate security of each major application, taking into account the security of all systems in which the application will operate. The plan shall be consistent with guidance issued by NIST. Advice and comment on the plan shall be solicited from the official responsible for security in the primary system in which the application will operate prior to the plan's implementation.
A summary of the security plans shall be incorporated into the strategic information resources management plan required by the Paperwork Reduction Act. Application security plans shall include:

    a) Application Rules -- Establish a set of rules concerning use of and behavior within the application. The rules shall be as stringent as necessary to provide adequate security for the application and the information in it. Such rules shall clearly delineate responsibilities and expected behavior of all individuals with access to the application. In addition, the rules shall be clear about the consequences of behavior not consistent with the rules.
    b) Specialized Training -- Before allowing individuals access to the application, ensure that all individuals receive specialized training focused on their responsibilities and the application rules.
    c) Personnel Security -- Incorporate controls such as separation of duties, least privilege and individual accountability into the application and application rules as appropriate.
    d) Contingency Planning -- Establish and periodically test the capability to perform the agency function supported by the application in the event of failure of its automated support.
    e) Technical Controls -- Ensure that appropriate security controls are specified, designed into, tested, and accepted in the application in accordance with appropriate guidance issued by NIST.

3) Review of Application Controls
Perform an independent review or audit of the security controls in each application at least every three years.
Consider identifying a deficiency pursuant to OMB Circular No. A-123, Management Accountability and Control, and the Federal Managers' Financial Integrity Act if there is no assignment of responsibility for security, no security plan, or no authorization to process for the application.

4) Authorize Processing
Ensure that a management official authorizes in writing use of the application by confirming that its security plan as implemented adequately secures the application. Results of the most recent review or audit of controls shall be a factor in management authorizations. The application must be authorized prior to operating and re-authorized at least every three years thereafter. Management authorization implies accepting the risk of each system used by the application.

APPENDIX IV

FDIC
Federal Deposit Insurance Corporation
Division of Resolutions and Receiverships
Division of Information Resources Management

October 23, 2001

MEMORANDUM TO:  Sharon M. Smith
                Deputy Assistant Inspector General for Audits

FROM:           Mitchell L. Glassman, Director [Electronically produced version; original signed by Mitchell L. Glassman]
                Division of Resolutions and Receiverships

                Carol M. Heindel, Acting Director [Electronically produced version; original signed by Wayne C. Gooding]
                Division of Information Resources Management and Acting Chief Information Officer

SUBJECT:        Response to OIG Draft Report Entitled Audit of the Least Cost Test Model (Audit Number 00-724)

This memorandum will serve to respond to the issues and recommendations outlined in the draft OIG Audit Report, dated September 25, 2001.

General Comments:

On page 6, bullet three under Results of Audit, and on page 12, first paragraph under Application Software Development and Change Controls, the draft report incorrectly leads the reader to believe that an application security plan is required for the Least Cost Test Model (LCT). As the report correctly notes on pages 16 and 17, the LCT had been through the Sensitivity Assessment Questionnaire (SAQ) in 1999 and was determined not to be a major application. As such, there is no requirement for a security plan to be developed.
The identified language on pages 6 and 12 should be revised to clearly indicate that this is not an issue of non-compliance by the FDIC and to be consistent with the language of pages 16 and 17.

The draft report indicates in the first full paragraph of page 17 that, “An appropriately developed security plan would require the Corporation to address our current control concerns.” Based upon our review, the control issues identified by this report can be addressed in a timely, cost-effective manner by the actions specified in this management decision, without the need for development of a security plan.

(1) OIG Recommendation:
    Formalize and implement the use of the Qualified Reviewer’s checklist as planned and establish other controls to ensure that the documents generated by the LCT model to support the resolution decision are accurate and complete.

    DRR Response:
    The Qualified Reviewer checklist has been formalized, implemented and used. It is a template located on our shared drive in the LCT folder and is password protected. It is also a part of our Least Cost Test Manual. The LCT checklist has been created for both the specialist who is completing the LCT and the qualified reviewer to aid them in correctly completing/reviewing all of the necessary documents. A memo to the Resolutions staff outlining the new procedures was sent on October 4, 2001.

(2) OIG Recommendation:
    Establish a process for periodically updating the underlying estimates in the Insurance Determination Cost Calculation to ensure decisions are based on the most current information available.

    DRR Response:
    A process was established pursuant to the OIG recommendation.
    The Insurance Determination Cost Calculation Model and data will be reviewed during the first quarter of each year. New data will be gathered, and the programmer will update the defaults and other information in the model. Any changes will be reported to the Least Cost Test Policy Board. The LCT Manual was changed on October 16, 2001, to reflect the new procedures.

(3) OIG Recommendation:
    Periodically review access to the shared drive and the LCT model templates to ensure that employees have appropriate levels of access to the files.

    DRR Response:
    A process was established on October 16, 2001, pursuant to the OIG recommendation. The Assistant Director, Franchise and Asset Marketing, DRR, will check with DRR Information Security in the first quarter of each year to confirm who has access to the LCT and determine if those people are the appropriate ones to have such access. Access can be altered, deleted or added at that time.

(4) OIG Recommendation:
    Develop and retain documentation to support the testing performed on the upgraded “What’s Best!” software for compatibility with the FDIC’s operating environment and performance in complex resolution solutions.

    DRR and DIRM Response:
    One copy of “What’s Best!” 5.0 (commercial version) was purchased and tested on June 26, 2001, by DIRM for compatibility with our operating system. DIRM rescripted the software to ensure compatibility, and the revised software was tested by DIRM and DRR. DIRM has retained the documentation of their testing and rescripting.
    “What’s Best!” 5.0 (commercial version) was “stress tested” by DRR to determine if the software would perform in a complex resolution scenario. “What’s Best!” passed the stress test, and DRR has retained documentation of the test. DIRM is now buying additional copies of the commercial version and upgrades of the professional version for DRR personnel who use the LCT model. Once the professional version is received, it will also be stress tested.

(5) OIG Recommendation:
    Fully document the preparation of new spreadsheets or the modification of existing spreadsheets used in the operation of the upgraded “What’s Best!” program.

    DRR Response:
    The spreadsheets that were created for “What’s Best!” version 3.1 were used to stress test version 5.0. The software worked correctly with the original spreadsheets, and DRR has retained the corresponding documentation. (See response to # 4.) If, at some point, the spreadsheets need to be changed or new spreadsheets need to be created for use with “What’s Best!” version 5.0, the preparation, modification and testing will be fully documented, and the documentation will be retained by DRR. These procedures are included in the LCT Manual.

(6) OIG Recommendation:
    Establish procedures for requesting, making, tracking, testing, and approving changes to the LCT model.

    DRR Response:
    All changes are requested by e-mail from the LCT point of contact to the programmer and his supervisor. The programmer must obtain the password from the point of contact and then proceeds to make any changes. The point of contact tracks the change process and tests the changes for approval.
    After the changes are approved, the point of contact changes the password. The point of contact uses a spreadsheet to document the changes. These procedures are included in the LCT Manual.

(7) OIG Recommendation:
    Ensure that the protection added to the LCT model macros is operating correctly.

    DRR Response:
    Password protection has been added to the LCT model macros. The LCT point of contact has the password and gives it to the programmer when a requested change to the model involves changing the macros. Once the change is complete, the password is changed by the LCT point of contact. The LCT point of contact periodically checks the password protection for the LCT macros. Documentation of the changes and testing will be maintained by the LCT point of contact.

(8) OIG Recommendation:
    Incorporate steps in the resolution case review process to ensure that formulas are operating as intended and have not been overwritten.

    DRR Response:
    The Insurance Determination Model has been revised and is now a password-protected template. A step has been added to the Qualified Reviewer checklist to determine if the Insurance Determination Model has been correctly completed and to verify that the template has not been overwritten. These procedures are included in the LCT Manual.

(9) OIG Recommendation:
    Apply DIRM’s revised SAQ procedures to the LCT model and determine if a reclassification of the LCT model is warranted. The results should be forwarded immediately to the Office of Inspector General and the Office of Internal Control Management for follow-up.

    DRR and DIRM Response:
    Utilizing the Corporation’s revised SAQ procedures, the LCT model will be evaluated by January 31, 2002.
    The results will be reviewed by the Least Cost Test Policy Board.

(10) OIG Recommendation:
    Develop a security plan for the LCT model as described in OMB Circular A-130 and the guidance developed by NIST for generally accepted principles and practices for securing information technology systems.

    DRR and DIRM Response:
    The referenced OMB Circular A-130 requirement refers to a major system application. The LCT model was reviewed in 1999 and was determined not to be a major system application. If it is determined that the LCT model is a major system application, a security plan as described in Circular A-130 will be developed.

cc: Vijay Deshpande, Director, OICM
    James Wigand, Deputy Director, DRR
    Giovanni Recchia, Associate Director, DRR
    Herbert Held, Assistant Director, DRR
    Susan Whited, Assistant Director, DRR
    Dean Eisenberg, Senior Internal Review Specialist, DRR
    Wendy Hoskins, Resolutions and Receiverships Specialist, DRR
    Janet Roberson, Deputy Director, DIRM
    Wayne Gooding, Deputy Director, DIRM
    Rack Campbell, Chief ITES Section, DIRM
    James Lewis, Senior Computer Specialist, DIRM
    Kenneth Jones, Section Chief, OICM
    Penelope Moreland-Gunn, Manager Information Systems, DRR
    Susan Seigman, Information Security Specialist, DRR